You can configure a System Authorization Facility (SAF) profile prefix (previously referred to as a z/OS® security domain) by using the z/OS Profile Management Tool.
You can configure a SAF profile prefix by using the z/OS Profile Management Tool to customize your settings or on the SAF authorization options panel in the administrative console. This provides a new sample set of Resource Access Control Facility (RACF®) customization jobs that must be run only once, when the domain is created.
/* CBIND profiles in case no server definition is set */
"RDEFINE CBIND CB.BIND.* UACC(NONE)"
"RDEFINE CBIND CB.* UACC(NONE)"

/* CBIND CB.BIND.domain_name. */
"RDEFINE CBIND CB.BIND.TESTSYS.* UACC(NONE)"
"RDEFINE CBIND CB.TESTSYS.* UACC(NONE)"
Use an APPL profile to protect WebSphere Application Server for z/OS. Sample profiles can grant a certain level of APPL access to everyone if you use the universal access authority, UACC, and grant access to the configuration group, unauthenticated user IDs, and all valid WebSphere Application Server for z/OS user IDs. A UACC(NONE) will give a default access of NONE to everyone. You can control whether the APPL class profile is used for authorization by setting the checkbox labeled "Use APPL profile to restrict access to the server" on the SAF authorization options panel in the administrative console.
RDEFINE APPL CBS390 UACC(NONE)
PERMIT CBS390 CLASS(APPL) ID(TSCLGP) ACCESS(READ)

RDEFINE APPL TESTSYS UACC(NONE)
PERMIT TESTSYS CLASS(APPL) ID(TSCLGP) ACCESS(READ)
The following EJBROLE profiles are defined for role-based authorization checks if there is no SAF profile prefix and the configuration group is defined as TSTCFG. Note that these are the minimum set of users requiring access to naming and administrative roles when System Authorization Facility (SAF) authorization is selected.
RDEFINE EJBROLE administrator UACC(NONE)
RDEFINE EJBROLE monitor UACC(NONE)
RDEFINE EJBROLE configurator UACC(NONE)
RDEFINE EJBROLE operator UACC(NONE)
RDEFINE EJBROLE deployer UACC(NONE)
RDEFINE EJBROLE adminsecuritymanager UACC(NONE)
RDEFINE EJBROLE auditor UACC(NONE)
PERMIT administrator CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT auditor CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT adminsecuritymanager CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
/* Setting up EJBRoles Profiles for Naming roles */
RDEFINE EJBROLE CosNamingRead UACC(NONE)
PERMIT CosNamingRead CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE CosNamingWrite UACC(NONE)
PERMIT CosNamingWrite CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE CosNamingCreate UACC(NONE)
PERMIT CosNamingCreate CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE CosNamingDelete UACC(NONE)
PERMIT CosNamingDelete CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)

RDEFINE EJBROLE TESTSYS.administrator UACC(NONE)
RDEFINE EJBROLE TESTSYS.monitor UACC(NONE)
RDEFINE EJBROLE TESTSYS.configurator UACC(NONE)
RDEFINE EJBROLE TESTSYS.operator UACC(NONE)
RDEFINE EJBROLE TESTSYS.deployer UACC(NONE)
RDEFINE EJBROLE TESTSYS.adminsecuritymanager UACC(NONE)
RDEFINE EJBROLE TESTSYS.auditor UACC(NONE)
PERMIT TESTSYS.administrator CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.auditor CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.adminsecuritymanager CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
/* Setting up EJBRoles Profiles for Naming roles */
RDEFINE EJBROLE TESTSYS.CosNamingRead UACC(NONE)
PERMIT TESTSYS.CosNamingRead CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE TESTSYS.CosNamingWrite UACC(NONE)
PERMIT TESTSYS.CosNamingWrite CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE TESTSYS.CosNamingCreate UACC(NONE)
PERMIT TESTSYS.CosNamingCreate CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE TESTSYS.CosNamingDelete UACC(NONE)
PERMIT TESTSYS.CosNamingDelete CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
CBIND profile definitions for servers
RDEFINE CBIND CB.BIND.BBO* UACC(NONE)
RDEFINE CBIND CB.BIND.TSTC001 UACC(NONE)
PERMIT CB.BIND.BBO* CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
PERMIT CB.BIND.TSTC001 CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
RDEFINE CBIND CB.BBO* UACC(NONE)
RDEFINE CBIND CB.TSTC001 UACC(NONE)

RDEFINE CBIND CB.BIND.TESTSYS.BBO* UACC(NONE)
RDEFINE CBIND CB.BIND.TESTSYS.TSTC001 UACC(NONE)
PERMIT CB.BIND.TESTSYS.BBO* CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
PERMIT CB.BIND.TESTSYS.TSTC001 CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
RDEFINE CBIND CB.TESTSYS.BBO* UACC(NONE)
RDEFINE CBIND CB.TESTSYS.TSTC001 UACC(NONE)

RDEFINE CBIND CB.BIND.TSTC002 UACC(NONE)
PERMIT CB.BIND.TSTC002 CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
RDEFINE CBIND CB.TSTC002 UACC(NONE)

RDEFINE CBIND CB.BIND.TESTSYS.TST* UACC(NONE)
PERMIT CB.BIND.TESTSYS.TST* CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
RDEFINE CBIND CB.TESTSYS.TST* UACC(NONE)
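An added example, not part of the original page or of the product's customization jobs: a pre-submission audit of a RACF command list against the conventions the samples above show. The prefix naming rules in prefix_ok are inferred from the page's TESTSYS samples, the function names are hypothetical, and the input job is constructed with three planted defects.

```python
import re

# Constructed input: the page's TESTSYS profiles plus three planted defects.
SAMPLE_JOB = """\
RDEFINE APPL TESTSYS UACC(NONE)
PERMIT TESTSYS CLASS(APPL) ID(TSCLGP) ACCESS(READ)
RDEFINE EJBROLE TESTSYS.administrator UACC(NONE)
PERMIT TESTSYS.administrator CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
RDEFINE EJBROLE TESTSYS.monitor UACC(READ)
RDEFINE CBIND CB.BIND.TSTC001 UACC(NONE)
PERMIT CB.BIND.TESTSYS.TSTC001 CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
"""

CMD = re.compile(r"^(RDEFINE|PERMIT)\s+(.*)$", re.I)
OPERAND = re.compile(r"(\w+)\((\w*)\)")  # KEYWORD(value) operands

def prefix_ok(cls, profile, prefix):
    """Naming pattern inferred from the page's samples (an assumption)."""
    if cls == "APPL":
        return profile == prefix
    if cls == "EJBROLE":
        return profile.startswith(prefix + ".")
    if cls == "CBIND":
        return profile.startswith((f"CB.BIND.{prefix}.", f"CB.{prefix}."))
    return True  # other classes are not covered by the page

def audit(job_text, prefix):
    """Return (line_no, finding, profile) tuples for one command per line."""
    defined, findings = set(), []
    for n, line in enumerate(job_text.splitlines(), 1):
        m = CMD.match(line.strip().strip('"'))  # tolerate REXX-quoted commands
        if not m:
            continue  # comments and blank lines
        verb, tokens = m.group(1).upper(), m.group(2).split()
        ops = {k.upper(): v for k, v in OPERAND.findall(m.group(2))}
        if verb == "RDEFINE":  # RDEFINE class profile UACC(level)
            cls, profile = tokens[0].upper(), tokens[1]
            defined.add((cls, profile))
            # A missing UACC operand is flagged too: the audit wants it explicit.
            if ops.get("UACC", "").upper() != "NONE":
                findings.append((n, "uacc-not-none", profile))
            if not prefix_ok(cls, profile, prefix):
                findings.append((n, "missing-prefix", profile))
        else:  # PERMIT profile CLASS(cls) ID(id) ACCESS(level)
            profile, cls = tokens[0], ops.get("CLASS", "").upper()
            if (cls, profile) not in defined:
                findings.append((n, "permit-without-rdefine", profile))
    return findings
```

Calling audit(SAMPLE_JOB, "TESTSYS") reports the UACC(READ) role, the CBIND profile that lacks the prefix, and the PERMIT whose profile was never defined in the job.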